Friday, March 19, 2010

Malware case: Day 1

Here's the case:

A customer of mine called today because they suspect they have a virus or other malware. I picked up the machine and am capturing an image with FTK-Imager-lite as we speak. I am going to clean the live PC and give it back to the customer and use the image to attempt to figure out exactly what the infection mechanism was. I will detail my processes and findings here on the blog in hopes of attracting tips, comments and guidance from anyone in the audience.

Case background:

Customer complaint of popups and slow overall performance on March 18th 2010.
Collected PC in a powered down state from the customer site March 19th at 0945.
Extracted hard drive at 1200 March 19th.
Mounted Read-Only on my Ubuntu workstation at 1205 and began imaging with FTK-lite from a WinXP VM at 1212, raw image format, dumping to Fantom 1 TB USB drive formatted NTFS, clean wiped using dd.
Estimated image completion time is ~12 hours.

Infected machine specs:
HP DX2300/XP Pro SP3/Trend Micro Antivirus/1GB RAM/Core2 Duo/160GB Sata HD

Once imaging is complete I will boot up the machine and capture RAM using memoryze for later analysis.

Any and all suggestions are welcome.

More to follow....


  1. 1. Fire up the image in Live View so that you can capture volatile data and RAM. With vmware, you can just snapshot the image and use the .vmem file...that is effectively a RAM dump of the vm session.

     2. Generate a timeline of the active filesystem, registry, and local system logs. Use that to peep the day (to include a few days prior) to the incident and see if you can determine how the malware made it on to the and when.

     3. When you identify the malicious binary, don't reinvent the wheel. See if there is a signature on Bit9 and VirusTotal. If so, then your work is pretty much complete...there should be a write-up somewhere on the net as to what the malware does and how to remove it.

     4. If not, you can work on doing some dynamic analysis of the malware using winalysis, wireshark, etc.



  2. Unfortunately the machine has been acting up for a few weeks, so it won't be quite so easy to find. I was actually planning on doing a virus scan to try and pinpoint malicious .exe's and dll's and then go through a timeline to find when they were created. Also going to try to tie it to a particular website visit or download.

    How do you load a raw image into vmware?

    What is LiveView?

  3. Liveview is an open source application which allows you to boot the "suspect" computer using the RAW image file. It uses a few VMWare programs as well as the actual LiveView program. The documentation is quite easy to follow and best of all, the process is free.

    There are commercial programs which allow you to mount an image as a logical drive (Mount Image Pro) as well as programs that can take this further and allow you to boot the mounted drive (VFC).

  4. This is exactly why I started this blog. I had no idea the LiveView capability even existed. It's downloaded, installed and added to my repertoire.

    Thanks for the tips.

  5. 1. You've already shut the system down, so acquiring memory has taken a lower priority. You mentioned that this system is for a customer, so someone is paying you for your expertise; working with LiveView is a good idea, but not something that you want to be doing on the customer's dime. Complete the acquisition, verify the image, and make a working copy of the image.

    2. Extract file system metadata from the image, as well as timeline data. Be sure to collect Prefetch data, Restore Point data, etc.

    3. Once you have the data, mount the image read-only using ImDisk (or, if you can afford it/have it, SmartMount) and scan the file system with several AV scanners. This appears, on the surface, to be a malware issue, so attempting to locate the malware while performing other tasks is just...efficient.

    4. Construct your timeline. I'd focus on identifying malware (all of it) and associating it with autostart locations. This will give you something you can scan for across the enterprise to look for other infected systems. I'd also try to determine how it got there, so that you can inform the customer what they can do to address this issue and prevent it from happening in the future.

    This all assumes, of course, that these are your customer's goals.
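The timeline-plus-hashing pass that comments 1 and 5 describe (walk the mounted image, collect MAC times, narrow to the days before the complaint, and hash the executables so they can be checked against a signature database) can be sketched in a few dozen lines. The block below is an added example and is not code from the blog author or either commenter; it assumes the raw image has been mounted read-only somewhere (the post mounts the drive on an Ubuntu workstation) and, so that it runs offline, builds its own constructed sample tree with made-up Windows paths and file names in a temporary directory.

```python
"""Timeline + hashing pass over a read-only mounted image.

Added example, not the blog author's or any commenter's code. It assumes the
raw image is mounted read-only at some path; make_sample_tree() builds a small
constructed tree in a temp directory so the script runs offline. The Windows
paths and file names in the sample are invented for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Date of the customer complaint, taken from the post.
COMPLAINT_DATE = datetime(2010, 3, 18, tzinfo=timezone.utc)


def file_sha256(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header used by .exe/.dll files."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def build_timeline(root):
    """One (utc_time, kind, relative_path, sha256_or_None) row per M/A/C time
    of every file under root, sorted oldest first. PE files are hashed so the
    digest can later be looked up in a signature database."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the pass
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = file_sha256(path) if is_pe(path) else None
            for kind, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                rows.append((datetime.fromtimestamp(ts, timezone.utc), kind, rel, digest))
    rows.sort()
    return rows


def pe_modified_in_window(rows, end, days_before=3):
    """Relative paths of PE files whose modification time falls within the
    days_before..end window: the candidates to examine first."""
    start = end - timedelta(days=days_before)
    return sorted({rel for t, kind, rel, digest in rows
                   if kind == "m" and digest is not None and start <= t <= end})


def make_sample_tree(root):
    """Constructed sample: two PE-like files written shortly before the
    complaint, one much older PE, and a text file that is never hashed."""
    utc = timezone.utc
    samples = [
        ("Program Files/ExampleToolbar/tbhelper.dll", b"MZ" + b"\x90" * 64,
         datetime(2010, 3, 16, 14, 2, tzinfo=utc)),
        ("Documents and Settings/user/Local Settings/Temp/setup[1].exe", b"MZ" + b"\xcc" * 64,
         datetime(2010, 3, 16, 13, 58, tzinfo=utc)),
        ("WINDOWS/system32/oldtool.exe", b"MZ" + b"\x00" * 64,
         datetime(2009, 1, 5, tzinfo=utc)),
        ("Documents and Settings/user/My Documents/notes.txt", b"budget notes\n",
         datetime(2010, 3, 17, tzinfo=utc)),
    ]
    for rel, data, when in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        ts = when.timestamp()
        os.utime(path, (ts, ts))  # sets atime and mtime; ctime cannot be set


def demo():
    """Build the sample tree in a temp dir and return the candidate list."""
    root = tempfile.mkdtemp(prefix="image_")
    make_sample_tree(root)
    return pe_modified_in_window(build_timeline(root), COMPLAINT_DATE)


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="image_")
    make_sample_tree(root)
    rows = build_timeline(root)
    for t, kind, rel, digest in rows:
        print(t.isoformat(), kind, rel, digest or "")
    print("candidates:", pe_modified_in_window(rows, COMPLAINT_DATE))
```

Two caveats when running this against a real mount rather than the sample tree: on Linux `st_ctime` is the inode change time of the mounted filesystem, not the NTFS creation time, so a `c` row here is not the "created" column a Windows examiner expects; and walking a mounted volume sees only the live filesystem. For a full timeline of the raw image, including deleted entries and the NTFS timestamps, use Sleuth Kit's `fls` and `mactime` against the image file instead, and treat this script as a quick first pass.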


  6. Great stuff. I've already done most of the above. I'll be updating my blog tonight (hopefully). Turned out to be a toolbar/browser redirector that I've already removed. I'm processing the rest of it just for the experience and because now that I have the skills, I can't stand not knowing how it got there.

    Thanks for the great advice.

  7. Grayson,
    How about a post regarding how you've been preparing for the exam. Main books, websites, etc. That would be interesting and you'd probably get a lot more suggestions for future study.

    I like your blog. I've done some wannabe forensics and found it fascinating. Go man, go!

  8. I totally agree with Harlen. Before shutting down the machine, collect the volatile data. It might contain a lot of evidence which will help you crack the case.

    Also look into the registry entries of startup. See what all files get executed when the system is booted. Use Msconfig--->Startup to see all the files loaded at startup.